Description
In the Linux kernel, the following vulnerability has been resolved:

cifs: some missing initializations on replay

In several places in the code, we have a label to signify
the start of the code where a request can be replayed if
necessary. However, some of these places were missing the
necessary reinitializations of certain local variables
before replay.

This change makes sure that these variables get initialized
after the label.
Published: 2026-04-30
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE details a bug in the Linux kernel's CIFS driver where local variables are not reinitialized after a replay label. Operating on these uninitialized values can lead to kernel memory corruption or a crash, potentially causing a denial of service. The description does not mention privilege escalation, so that possibility is unsupported by the data.

Affected Systems

The flaw exists in the Linux kernel across all versions that have not incorporated the fix in commit 14f66f4 (or later commits). The kernel patch is referenced via several commit URLs; any distribution kernel that has not applied these commits is potentially vulnerable.

Risk and Exploitability

No CVSS score is available, and the EPSS score is not provided, so the severity and exploitation likelihood cannot be precisely quantified. The issue resides in the CIFS driver, so a likely attack vector would involve an attacker manipulating SMB traffic to trigger a replay, but this is inferred rather than explicitly stated. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 1, 2026 at 05:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit 14f66f4 or later commits that address the missing reinitializations.
  • If an immediate kernel update is not possible, block or restrict SMB traffic (TCP port 445) from untrusted networks as a temporary containment measure.
  • As a further temporary measure, consider disabling or unloading the CIFS module to remove the vulnerable code path.
  • Monitor vendor advisories and kernel mailing lists for additional patches or updates addressing this issue.

Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 01 May 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Thu, 30 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: cifs: some missing initializations on replay In several places in the code, we have a label to signify the start of the code where a request can be replayed if necessary. However, some of these places were missing the necessary reinitializations of certain local variables before replay. This change makes sure that these variables get initialized after the label.
Title cifs: some missing initializations on replay
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:47:53.806Z

Reserved: 2026-03-09T15:48:24.131Z

Link: CVE-2026-31693

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-30T12:16:24.103

Modified: 2026-04-30T17:11:25.563

Link: CVE-2026-31693

Redhat

Severity: Moderate

Public Date: 2026-04-30T00:00:00Z

Links: CVE-2026-31693 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses